On 08/13/2014 05:14 AM, Petr Spacek wrote:
> - The application later uses krb5_cc_retrieve_cred() to get
> creds.times.endtime value and to check that the ticket is still valid.

You can set an endtimes value in mcreds.times and specify the KRB5_TC_MATCH_TIMES flag, and only credentials which expire after that endtime will be matched. You still need to use krb5_timeofday() to produce an end time relative to the clock-adjusted current time, though.

> I can see that krb5_timeofday() from krb5-libs-1.11 does time offset
> correction automatically for seconds but not for microseconds.

I don't think you need to worry about microseconds when there is a five-minute margin on credential expiration. Plenty of factors will introduce small errors in time computations, including these: the time offset is measured without taking into account communication latency, the clock will have drifted since the initial ticket was acquired, the ticket expiration time was computed without regard to the microseconds value of the current KDC time.

If I were present at the time, I would have argued against storing a microseconds value in the file ccache time offset header on YAGNI grounds.

________________________________________________
Kerberos mailing list
https://mailman.mit.edu/mailman/listinfo/kerberos
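
The clock-adjustment point in the reply above, as an added example that is not part of the original message and does not call libkrb5: a simplified C model of an endtime match, showing how an unadjusted local clock accepts a ticket that the offset-adjusted clock rejects. All type and function names, the timestamps and the 600-second offset are constructed for illustration; the 300-second margin mirrors the five-minute margin mentioned in the reply.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Simplified stand-ins for illustration; these are not libkrb5 types. */
typedef int32_t ts_t;  /* seconds since the epoch */
struct model_cred { const char *server; ts_t endtime; };

/* Model of krb5_timeofday(): local clock plus the stored KDC time offset. */
static ts_t adjusted_now(ts_t local_now, int32_t kdc_offset) { return local_now + kdc_offset; }

/* Model of the KRB5_TC_MATCH_TIMES endtime test: a nonzero requested endtime
 * rejects any credential that expires before it. */
static int endtime_matches(ts_t want, ts_t cred_endtime) { return want == 0 || cred_endtime >= want; }

/* First credential still valid `margin` seconds after `now`, or NULL. */
static const struct model_cred *
find_usable(const struct model_cred *cache, size_t n, ts_t now, ts_t margin)
{
    for (size_t i = 0; i < n; i++)
        if (endtime_matches(now + margin, cache[i].endtime))
            return &cache[i];
    return NULL;
}

/* Constructed sample: the local clock runs 600 s behind the KDC and the only
 * ticket expires 200 s from now by KDC time. */
enum { LOCAL_NOW = 1407900000, KDC_OFFSET = 600, MARGIN = 300 };
static const struct model_cred SAMPLE_CACHE[] = {
    { "ldap/host.example.test@EXAMPLE.TEST", LOCAL_NOW + KDC_OFFSET + 200 },
};

/* Unadjusted local clock: the ticket appears to have 800 s left. */
static int raw_clock_accepts(void)
{
    return find_usable(SAMPLE_CACHE, 1, LOCAL_NOW, MARGIN) != NULL;
}

/* Offset-adjusted clock: 200 s left, which is inside the margin. */
static int adjusted_clock_accepts(void)
{
    return find_usable(SAMPLE_CACHE, 1, adjusted_now(LOCAL_NOW, KDC_OFFSET), MARGIN) != NULL;
}

int main(void)
{
    printf("raw=%d adjusted=%d\n", raw_clock_accepts(), adjusted_clock_accepts());
    return 0;
}
```

In real code the same comparison is made by putting the krb5_timeofday() result plus the margin into mcreds.times.endtime and passing KRB5_TC_MATCH_TIMES to krb5_cc_retrieve_cred(), as the reply describes.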
